Not sure how familiar you are with managing OS X Server and the command line...
OS X Server does not directly implement a file drop-box mechanism as part of the package, though you can get there with what's provided.
It is possible to set up password-protected WebDAV folders, as one option using what is available in OS X Server. There's no GUI for setting that up, though. The command-line configuration steps are discussed in the 10.6 Web Services Technologies manual, and there are some support articles around, such as HT5374.
Setting up the sftp server is a different approach and is fairly easy, if you want to go that route. Give the folks a login on the server, and give them a certificate (or a password login), and they can then access their directory (either via the certificate or the password) to upload or download files. The remote clients would be using FileZilla or Cyberduck, or command-line sftp.
If you don't want to expose your server to remote attackers — the same path folks download and upload files is a likely path for remote attacks — a NAS box (preferably in a DMZ in your network) might provide you with what you want.
I haven't encountered an ftp-based dropbox implementation for OS X Server. (Full disclosure: I'm not a fan of ftp, not the least of which because of its incompatibilities with firewalls, and its use of cleartext for the user's access credentials.)
Various content-management systems likely offer this capability, either directly or via add-on modules.
Unless you have one kicking around and the power and cooling and acoustical and rack-space budgets to continue running it, an Xserve is overkill here.
Barring a prodigious network pipe, pushing bits up and down a typical network pipe is pretty easy. Your sites are probably going to be constrained by your network pipe, too.
A Mac Mini or Mac Mini Server — far quieter, far smaller, far more efficient — or a NAS box can both run the sorts of file services I'd expect here, and with most any typical network pipe. Options for NAS include various commercial packages, as well as open-source running on x86-class hardware you might have around.
Whatever you use, it should preferably be configured in a DMZ to isolate the damage should there be a breach.
But yes, a purpose-tasked Xserve likely can deal with this task. The most recent Intel Xserve I was dealing with for running a number of web sites was mostly idle, even when the sites were gonzo busy. That was an old and slow Xserve quad-core, too. Pushing bytes around a network and a disk and running php code just wasn't that intensive. The box was also loud and hot, which was why that Xserve was retired from primary service and replaced with a Mac Mini Server.
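For the sftp approach described above, an added example that is not part of the original post: an OpenSSH `sshd_config` fragment that limits drop-box logins to SFTP inside their own directory, so a stolen credential does not yield a shell on the server. The group name `dropbox` and the path under `/Volumes/Data` are assumptions, and the location of `sshd_config` varies by OS X release.

```conf
# Added example. "dropbox" and /Volumes/Data/dropbox are hypothetical names.

# Replace the existing "Subsystem sftp ..." line with the in-process SFTP
# server, so the chroot below needs no binaries or libraries inside it.
Subsystem sftp internal-sftp

# Applies only to accounts that are members of the drop-box group.
Match Group dropbox
    # Confine each login to its own tree; %u expands to the user name.
    # Every directory in this path, including the last one, must be owned
    # by root and not writable by group or others, or sshd rejects the login.
    # Uploads therefore go into a user-owned subdirectory created inside it,
    # for example /Volumes/Data/dropbox/<user>/upload.
    ChrootDirectory /Volumes/Data/dropbox/%u

    # SFTP only: no interactive shell and no remote command execution.
    ForceCommand internal-sftp

    # Key-based logins only. Remove this line if password logins are wanted.
    PasswordAuthentication no

    # Do not let drop-box accounts relay connections through the server.
    AllowTcpForwarding no
    X11Forwarding no
```

Running `sshd -t` checks the edited file for syntax errors before the service is restarted.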